Note

The attached version of the NHSCR’s Information Governance Standards incorporates the comments made at the last meeting of the Board. Subject to further discussion, it will be finalised.

Introduction


Information Governance standards are in place to ensure that NHSCR Scotland handles and safeguards personal information.

This paper will highlight the background to the current position and set out the standards (pages 4 to 11) as agreed with the Scottish Government Health Department and NHS Quality Improvement Scotland (NHS QIS). These standards will:


- Give back office information to Health Care staff to help them to trace patients. We have access to ten electronic NHS, GROS and CR E/W systems. By using these data streams we are able to confirm patient identity and therefore ensure the correct movement of patient medical records.

- Support the provision of high quality care by promoting the effective and appropriate use of information. We work to Caldicott and CSAGS principles. We handle all data confidentiality issues on a strictly ‘need to know’ basis. We work with Dr Lorna Ramsay, Associate Specialist PHM (Health Informatics), ISD Caldicott Guardian, ISD Clinical Lead for eHealth, NCDDP and Information Governance Programme, who acts as Medical Advisor to the Registrar General and Privacy Advisory Committee.

- Encourage responsible staff to work closely together, preventing duplication of effort and enabling more efficient use of resources. All NHSCR staff continually look for ways to improve our working practices. We also hold regular meetings with Practitioner Services Divisions and CR England and Wales staff to ensure effective, efficient working.

- Develop support arrangements and provide staff with the tools they need to discharge their responsibilities to consistently high standards. We achieve a high standard by monitoring and revising the training, coaching and mentoring of staff of all grades.

- Let NHSCR understand its own performance and manage improvement in a systematic and effective way. As part of confirming to Health that we provide a value for money service, we count all work in and out. This informs us of areas where we need to take action and adjust priorities.


NHSCR is currently working to these standards, which help NHS organisations comply with the National Information Governance initiative. We are making the Information Governance standards available to all of our stakeholders.


About Information Governance 


Information Governance means handling information in a confidential and secure manner to appropriate ethical and quality standards. It is important to NHSCR Scotland because we collect and use a great deal of information for administrative, research and medical purposes, which contributes to improving people’s health. Information Governance is a key issue for all organisations and is fundamental to the effective delivery of health and other services.

We take account of:

- The Data Protection Act 1998
- The Freedom of Information (Scotland) Act 2002
- Confidentiality: NHSScotland Code of Practice (CSAGS)
- Records Management
- Information Security Standard
- NHS Data Quality Assurance (Data Accreditation)
- Caldicott Guardians
- Section 57 of the Local Electoral Administration and Registration Services (Scotland) Act 2006 (LEARS Act)

A governance framework is in place which promotes the ethical and lawful use of information in enhancing decision-making to support and drive improvement.


Information Governance Policy and Planning

Standard

- There is a designated Director, the Registrar General, with responsibility for the Board’s Information Governance policy and implementation plan.

- The Board has approved an Information Governance policy.

- The Board has agreed a plan for the implementation and monitoring of the Information Governance policy.

- The Board’s Information Governance plan includes appropriate training for all staff on the elements of Information Governance (e.g. confidentiality, data protection, security and professional standards in information collection and processing).

- All staff contracts contain clauses that clearly identify staff responsibilities for confidentiality, data protection and security.

- Information Governance is embedded in the Board’s business planning cycle and risk management agenda.


Confidentiality

Standard

- The NHSCR has mechanisms in place to ensure that all employees and other individuals participating in the delivery of information are aware of their responsibilities described in the NHSScotland Code of Practice on Protecting Patient Confidentiality.

- The NHSCR has mechanisms in place to ensure that information is given to inform patients/clients about proposed uses of their personal information.

- The NHSCR has an incident reporting procedure, known, accessible and used by all staff.


Freedom of Information

Standard

- The GRO(S) has a clearly identified, suitably qualified and supported lead individual, the Information Manager (0131 314 4621), responsible for the Freedom of Information (Scotland) Act 2002 (FoISA).

- The GRO(S) has mechanisms in place to meet its statutory duties under FoISA.

- A comprehensive system is in place to ensure the secure and confidential management of personal information, including how it is obtained, recorded, used, shared, stored and disposed of in line with current legislation.


Administrative Records

Standard

- There is a Senior Manager, the Information Manager (0131 314 4621), responsible for the implementation of the GRO(S) Records Management policy and implementation plan.

- The GRO(S) has agreed a plan for the implementation and monitoring of the Records Management policy.

- There are approved Records Management procedures for the closure, disposal and retention of documents, which may be enforced only by authorised personnel.

- All GRO(S) staff are provided with appropriate information, instruction and training on Records Management.

- Patients are informed about how their personal information is recorded and used, how to access their personal information, and about their rights to determine how their personal information is shared and protected.


Data Protection

Standard

- There is a clearly identified, suitably qualified and supported lead individual, the Information Manager (0131 314 4621), responsible for Data Protection.

- The GRO(S) ensures that all formal contractual arrangements include appropriate patient confidentiality, information security and data protection requirements for all contractors and support organisations.

- Formal policies are in place to manage situations where consent to share information is withheld, and where disclosure of personal information is required without consent.


Caldicott

Standard

- The NHSCR has a clearly identified, suitably qualified and supported Caldicott Guardian, who acts as consultant to the Registrar General on medical and health care confidentiality matters.

- The NHSCR has mechanisms in place to control, monitor and audit access to confidential patient information.

- The NHSCR has agreed protocols governing the sharing of patient-identifiable information with non-health organisations.

Information Security

Information management links clearly into clinical governance arrangements and engages staff in the development and application of information and communication technology.

Systems are in place to ensure that staff have access to information to support identity decision-making and facilitate delivery of quality services.

Standard

- The GRO(S) has a formal risk assessment and management programme. It is supported by an Information Security Policy and overseen by senior management.

- The GRO(S) has a clearly identified, suitably qualified and supported Information Security Officer (ITSO) (0131 314 4621), as part of an active management forum giving direction and visible support for initiatives relating to confidentiality, data protection and security.

- The GRO(S)/NHSCR follow standards to reduce the risks of human error, theft, fraud, or misuse or abuse of facilities. All their employees contract to abide by the contents of these standards.

- The GRO(S) has procedures in place to prevent unauthorised access, damage and interference to its business premises and information.

- The NHSCR management of network communications and operations ensures that all responsibilities for operational procedures are fully documented, including personnel roles and responsibilities, and the standards and procedures for the management and operation of Board networking services. All alterations to existing procedures are subject to formal change management and change control procedures.

- All NHSCR personnel have defined and documented access rights and other security measures to protect the confidentiality, integrity and availability of any information processed by computers and communications systems. Business requirements for access control are defined and documented.

- The NHS Contract Management Team ensures that the development and introduction of new information systems, software, IT projects and IT support activities are conducted in a secure manner.

- The NHSCR has clearly defined and documented procedures for managing Information Security incidents.

- The NHSCR has a fully managed process in place for developing and maintaining business continuity for all its critical infrastructure components and core services.

- The NHSCR has appropriate procedures in place to ensure that information passed to and from other organisations is transferred securely.

Data Quality

Standard

- There is an audit trail linking data entered to an individual.

- There are agreed processes and timescales for the correction of errors and omissions identified by validation or internal users.

- There is a clearly identified, suitably qualified and supported lead individual responsible for data quality, the Head of NHSCR (01387 259820).

Risk Register

Risks

- England and Wales move to the NHS Information Centre for Health and Social Care and migration to the Personal Demographic Spine (PDS)
- Witness protection cases on NHSCR moving to the Citizen Account
- GROS Extract: that data is used for unauthorised purposes
- GROS: that data security is breached and that details fall into the wrong hands and are open to public scrutiny
- Unauthorised access to the NHSCR server
- Loss of information through destruction of Cairnsmore House by fire
- Loss of information through destruction of Cairnsmore House by water
- Accidental disclosure of information by staff
- Intentional disclosure of information by staff
- Accidental disclosure of information on portable media
- Intentional disclosure of information on portable media
- Accidental disclosure of information by data transfer mechanism
- Intentional disclosure of information by data transfer mechanism
- Accidental disclosure of information by e-mail
- Intentional disclosure of information by e-mail
- Accidental disclosure of information by fax
- Intentional disclosure of information by fax
- Accidental loss of information by courier service
- Accidental disclosure of information by Post Office
- Accidental disclosure of information to a visitor to Cairnsmore House
- Intentional disclosure of information by a visitor to Cairnsmore House
- Intruder in Cairnsmore House
- Emergency Services personnel accessing Cairnsmore House

Related Information

The source of this document is the NHSScotland Information Governance Standards December 2005.

The NHSScotland Information Governance Website
www.isdscotland.org/infogov

The NHSCR website
http://www.gro-scotland.gov.uk/national-health-service-central-register/index.html

The NHS paper link
http://www.nhshealthquality.org/nhsqis/files/CGRM CSF Oct05.pdf